bluemoon
just joined
Topic Author
Posts: 16
Joined: Sat Jan 17, 2015 10:22 am

L2TP over IPSec RoadWarrior

Wed Mar 18, 2015 12:38 am

I am trying to configure L2TP/IPSec for my Road Warriors. When I define an IPSec policy with source address 1.1.1.0/24 and destination address 1.1.2.0/24 then I am getting a "failed to pre-process ph2 packet" error, but when I configure Src. Address 0.0.0.0/0 and define the same in Dst. Address then I can log in via L2TP VPN user accounts. After the login I can see a dynamic entry in the IPSec policy tab but it says tunnel "no".

I can see same entry in Installed SAs tab and I also see Encoding ( cbc(aes) + hmac(sha1) ) under Active Connection tab of my active user.

I wonder if someone can explain why I can't see "yes" under the tunnel column for my active L2TP connection in the IPSec policy tab? Why can't I connect via VPN when I define Src. & Dst. Address in my IPSec Policy?

Anyone got any idea?
 
seb4itik
just joined
Posts: 12
Joined: Mon Mar 16, 2015 10:26 am

Re: L2TP over IPSec RoadWarrior

Wed Mar 18, 2015 8:54 am

Hi,

Did you use the option tunnel=yes in your IPsec policy?
 
bluemoon
just joined
Topic Author
Posts: 16
Joined: Sat Jan 17, 2015 10:22 am

Re: L2TP over IPSec RoadWarrior

Wed Mar 18, 2015 7:27 pm

Hi seb4itik,

I have a few VPN issues but I want to go step by step, if you can help me and the community. Here I am trying to build L2TP over IPSec. L2TP is working fine and I can access everything on the remote end, but IPSec is not working. I don't have a static IP on the remote site. When the remote MT connects with my MT via L2TP then DHCP assigns the 192.168.43.6 IP address to the remote MT; that's why I am using 192.168.43.6 in SA Dst. Address in the IPSec policy. I have a couple of VLANs working on the remote side which I want to access from my end.
</replace>
<gr_replace lines="52-58" cat="reformat" orig="Image">
[Four screenshots of the configuration were attached here]

Installed SAs under IPSec is blank. I have tried different configurations but nothing worked. Please check the following configuration.

Image

Image

Image

Image
 
seb4itik
just joined
Posts: 12
Joined: Mon Mar 16, 2015 10:26 am

Re: L2TP over IPSec RoadWarrior

Thu Mar 19, 2015 10:25 am

Hi,

Did you check the Use IPsec option in the L2TP server configuration?

Following is a copy of a configuration that works.
192.168.10.0/24 is the office network, 172.30.0.0/24 is for L2TP addresses and 172.31.0.0/24 is the remote (teleworker) LAN.
The teleworker is behind a NATed router with a dynamic public IP address.

Server configuration:
:global IPsecSecret  "XXX"
:global L2TPUser    "teleworker001"
:global L2TPPass    "YYY"

# PPP profile for L2TP server
/ppp profile
add local-address=172.30.0.254 name=prof_L2TP only-one=yes use-compression=yes use-encryption=no use-vj-compression=yes

# L2TP remote user
/ppp secret
add name=$L2TPUser password=$L2TPPass remote-address=172.30.0.1 service=l2tp

# L2TP server
/interface l2tp-server server
set enabled=yes default-profile=prof_L2TP use-ipsec=yes ipsec-secret=$IPsecSecret

# Disable NAT between local network and remote IPsec networks
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=172.31.0.0/24 place-before=0

Client configuration:
:global L2TPServer  "1.2.3.4"
:global IPsecSecret "XXX"
:global L2TPUser    "teleworker001"
:global L2TPPass    "YYY"

# L2TP client
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=$L2TPServer disabled=no \
   name=l2tp-out1 password=$L2TPPass profile=default user=$L2TPUser

# Peer IPsec
/ip ipsec peer
add address=$L2TPServer/32 secret=$IPsecSecret

# Policy IPsec
/ip ipsec policy
add dst-address=192.168.10.0/24 sa-dst-address=$L2TPServer src-address=172.31.0.0/24 tunnel=yes

# Do not masquerade to remote network
/ip firewall nat
add chain=srcnat action=accept dst-address=192.168.10.0/24 src-address=172.31.0.0/24 place-before=0
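A simplified model of the phase 2 selector check behind the "failed to pre-process ph2 packet" error in the opening post, added here as an example and not part of any post in this thread. It relies on the fact that L2TP/IPsec road-warrior clients negotiate transport mode between the two endpoint addresses for UDP/1701 (which is why the dynamic policy shows tunnel "no"), while the site-to-site policy above uses tunnel mode between two subnets. The client and server addresses are constructed, and the matching logic is a simplification, not RouterOS's exact implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """Phase 2 traffic selector: address ranges, protocol/port and IPsec mode."""
    src: str
    dst: str
    proto: Optional[str] = None   # None = any protocol
    port: Optional[int] = None    # None = any port
    tunnel: bool = False          # False = transport mode


def covers(policy: Selector, proposal: Selector) -> bool:
    """True if the configured policy accepts the peer's phase 2 proposal.

    Simplified rule: the mode must agree, the proposed address ranges must
    lie inside the policy's ranges, and protocol/port must match unless the
    policy leaves them open.
    """
    if policy.tunnel != proposal.tunnel:
        return False
    if not ip_network(proposal.src).subnet_of(ip_network(policy.src)):
        return False
    if not ip_network(proposal.dst).subnet_of(ip_network(policy.dst)):
        return False
    if policy.proto not in (None, proposal.proto):
        return False
    return policy.port in (None, proposal.port)


# Constructed road-warrior proposal: transport mode, client host to server host, UDP/1701.
ROADWARRIOR = Selector("203.0.113.7/32", "198.51.100.1/32", "udp", 1701, tunnel=False)

# Policies from the opening post: the explicit subnet pair (tunnel=yes) and the
# permissive 0.0.0.0/0 entry, modelled here in transport mode like the dynamic one.
SUBNET_POLICY = Selector("1.1.1.0/24", "1.1.2.0/24", tunnel=True)
ANY_POLICY = Selector("0.0.0.0/0", "0.0.0.0/0", tunnel=False)

# Site-to-site policy from the client configuration above, and a matching proposal.
SITE_POLICY = Selector("172.31.0.0/24", "192.168.10.0/24", tunnel=True)
SITE_PROPOSAL = Selector("172.31.0.0/24", "192.168.10.0/24", tunnel=True)

if __name__ == "__main__":
    print("subnet policy vs road warrior:", covers(SUBNET_POLICY, ROADWARRIOR))  # False
    print("any policy vs road warrior:   ", covers(ANY_POLICY, ROADWARRIOR))     # True
    print("site policy vs site proposal: ", covers(SITE_POLICY, SITE_PROPOSAL))  # True
```

The first case is the failing combination from the opening post: a tunnel-mode subnet policy never matches a transport-mode host-to-host proposal, so phase 2 is rejected; the road-warrior and site-to-site setups need different policies.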
 
bluemoon
just joined
Topic Author
Posts: 16
Joined: Sat Jan 17, 2015 10:22 am

Re: L2TP over IPSec RoadWarrior

Mon Apr 06, 2015 4:06 am

Hi,

Sorry for the late reply, but thanks for your help. I changed a few things from the config you provided and it is working now.

Thanks for your help

regards
